[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 18 May 2011 16:13:05 -0400
From: Dan Rosenberg <dan.j.rosenberg@...il.com>
To: oss-security@...ts.openwall.com
Cc: klibc@...or.com
Subject: Re: [klibc] CVE request: klibc: ipconfig sh script
with unescaped DHCP options
Might it be worth fixing the insecure temporary file usage?
122 snprintf(fn, sizeof(fn), "/tmp/net-%s.conf", dev->name);
123 f = fopen(fn, "w");
What if someone else has already created that file, or put a symlink
or hard link there? What if someone overwrites your string with
command injection characters despite your stripping?
-Dan
On Wed, May 18, 2011 at 4:44 AM, maximilian attems <max@...o.at> wrote:
> Related to CVE-2011-0997
>
> ipconfig vulnerability for malicious dhcpd if $DNSDOMAIN is later
> used unquoted, than proof of concept involves
> DNSDOMAIN="\\\"\$(echo owned; touch /tmp/owned)"
>
> fix:
> http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=46a0f831582629612f0ff9707ad1292887f26bff
> will be part of the just to be released klibc-1.5.22
>
>
> --
> maks
>
> _______________________________________________
> klibc mailing list
> klibc@...or.com
> http://www.zytor.com/mailman/listinfo/klibc
>
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Powered by Openwall GNU/*/Linux -
Powered by OpenVZ
